Rixstep

PlainsCapital

A new twist on an old type of stupidity.


LUBBOCK (Rixstep) -- Hillary Machinery lost over $800,000 through an attack on their Windows computers, their bank PlainsCapital were able to return roughly $600,000 - and now PlainsCapital are suing Hillary Machinery.

Hillary Machinery previously accused PlainsCapital of not implementing reasonable security procedures. PlainsCapital do not agree - but they're hiring a 'wire transfer risk specialist' anyway.

They're looking for someone with at least a high school education (or a first university degree, depending on where you read) and one year's experience. Everyone surely wishes them luck.

The Wire Transfer Risk Specialist's primary responsibility is to detect and prevent risk involved in the wire transfer process. The position assesses internal controls and customer activity to improve fraud detection. Processes wire transfer requests in a backup role when required.

Minimum of one year directly related experience. Should have a strong understanding of entire wire transfer process. Strong computer skills including proficiency at Microsoft Office.


The position should be easy to fill. Particularly in these tough times. But in this chaotic world given us so generously by the crooks in Redmond, are we to be shocked when two bastions of ineptitude start panicking because they've lost more money and start pointing fingers at one another?

Of course not. So who's the culprit here? Who's the real idiot? Hillary Machinery or PlainsCapital? Both. Sort of.



One look at the Hillary Machinery website should get people thinking they don't have a clue. All anyone really knows is they don't have a very good webmeister. But the odds are they don't exactly employ a security expert either.

The attack also fits a well known pattern - a pattern Brian Krebs has been writing about for a long long time now. A Windows PC gets hacked, banking credentials are hijacked, the money mules move in. Done deal.

At least Hillary Machinery have the perspicacity to run a good web server. But PlainsCapital don't have even that.

HTTP/1.1 200 OK
Server: Apache
Accept-Ranges: bytes
Content-Length: 70210
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html
 
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Expires: Tue, 12 Jan 2010 02:50:02 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 12.0.0.6421
Connection: close

There are zero-days out in the wild for IIS/ASP. It's such a horrible system that the GAO and Gartner both told people to stop using it, because it cannot even be fixed. And yet here one has a banking institution using it. Why? Brian Krebs says it's a matter of different approaches to online banking customers.

  • For ordinary customers. 'Thanks for banking with us. And don't worry - we will put your money back in our super-secure vault and even if somebody should break in and rob the place, your money will still be safe because it's protected by armed guards and six inches of steel. And even if they get past all that and steal cash from the vault, we'll replace any money that was yours.'

  • For corporations. 'Thanks for banking with us. And don't worry - we'll keep your money in our super-secure vault. Oh yeah - here's the key to the vault by the way. Don't you lose it!'

But of course they do lose it - they're running Windows. And banks running Microsoft IIS/ASP to protect customer funds are criminally irresponsible.

This kind of nonsense has to stop. And if you want to see how widespread this nonsense is, click the following link. See how many of the Windows fanboy sites have comments. See how many comments point out the not so subtle fact that none of this would have happened if the crime gangs hadn't been able to hack into the Windows PCs at Hillary Machinery, install keystroke loggers or whatever they did, and then use that information to rifle the Hillary Machinery bank account.

http://www.google.com/search?q=Hillary+Machinery+PlainsCapital

That PlainsCapital acted quickly and were able to retrieve $600,000 of the lost $800,000 is admirable. It doesn't get them off the hook but it's a step in the right direction.

It was the account (and Windows PC) of one Pauletta Landers at Hillary Machinery that was hacked and used for the exploit.

This memo is provided to give detailed information regarding the recent Internet Banking System activity initiated by User: Pauletta Landers - Login ID: PAULETTALAHM.

In order to access the Internet Banking system, a user must not only enter a username and password but they must also register their computer. The process of registering a computer to be used in conjunction with the specific login credentials involves receiving a secure access code, which is delivered to a specified email or phone number tied to the user account.

After review of the Internet Banking System logs, I identified two recent secure access code requests on November 8, 2009. The below information is the date, time stamp, and target delivery point of the two security access code requests.

Date — Time — Delivery Point:

11-08-2009 — 17:46:52:907 — PLANDERS@HILLARYINC.COM
11-08-2009 — 17:44:25:970 — PLANDERS@HILLARYINC.COM

The logs identify that the secure access code emails sent to PLANDERS@HILLARYINC.COM were delivered to a DNS registration [belonging to Earthlink and not Hillary].

The logs indicated that the secure access code requests came from the authenticated Login ID of PAULETTALAHM at the IP address of 93.144.115.214.

The logs also evidence that the following IP address was the source address that was conducting the transactions on November 9, 2009:

79.116.243.245

The logs also evidence that the following IP address was a source address that was conducting the transactions on November 10, 2009:

188.24.220.3

93.144.115.214 is in Italy.

inetnum:        93.144.0.0 - 93.145.255.255
netname:        OPITEL
descr:          IP addresses allocated to DSL customers
country:        IT
admin-c:        LV1834-RIPE
tech-c:         RD2747-RIPE
status:         ASSIGNED PA
mnt-by:         VODAFONE-IT-MNT
source:         RIPE # Filtered

person:         Luca Vit
address:        Vodafone N.V.
address:        Via Jervis,13
address:        I-10015 Ivrea, TO
address:        Italy
nic-hdl:        LV1834-RIPE
mnt-by:         VODAFONE-IT-MNT
phone:          +39 0125624819
source:         RIPE # Filtered

person:         Roberto De Cristofaro
address:        Vodafone N.V.
address:        Via Jervis,13
address:        I-10015 Ivrea, TO
address:        Italy
phone:          +39 0125624624
nic-hdl:        RD2747-RIPE
source:         RIPE # Filtered

79.116.243.245 is in Romania.

inetnum:        79.116.192.0 - 79.116.255.255
netname:        RO-RCS-RDS-FIBERLINK
descr:          RCS & RDS S.A.
descr:          FiberLink Customers
descr:          Brasov
country:        RO
admin-c:        RDS-RIPE
tech-c:         RDS-RIPE
status:         ASSIGNED PA
mnt-by:         AS8708-MNT
source:         RIPE # Filtered

role:           Romania Data Systems NOC
address:        71-75 Dr. Staicovici
address:        Bucharest / ROMANIA
phone:          +40 21 30 10 888
fax-no:         +40 21 30 10 892
abuse-mailbox:  abuse@rcs-rds.ro
admin-c:        CN19-RIPE
admin-c:        GEPU1-RIPE
admin-c:        SG4300-RIPE
tech-c:         CN19-RIPE
tech-c:         GEPU1-RIPE
tech-c:         SG4300-RIPE
nic-hdl:        RDS-RIPE
mnt-by:         AS8708-MNT
remarks:        +--------------------------------------------------------------+
remarks:        |    ABUSE CONTACT: abuse@rcs-rds.ro IN CASE OF HACK ATTACKS,  |
remarks:        |    ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC.    |
remarks:        | !! PLEASE DO NOT CONTACT OTHER PERSONS FOR THESE PROBLEMS !! |
remarks:        +--------------------------------------------------------------+
source:         RIPE # Filtered

188.24.220.3 is in Romania too.

inetnum:        188.24.0.0 - 188.27.255.255
netname:        RO-RDS-20070529
org:            ORG-RA18-RIPE
descr:          RCS & RDS SA
country:        RO
admin-c:        CN19-RIPE
tech-c:         RDS-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      AS8708-MNT
mnt-routes:     AS8708-MNT
source:         RIPE # Filtered

organisation:   ORG-RA18-RIPE
org-name:       RCS & RDS SA
org-type:       LIR
address:        Romania Data Systems SA
                Ciprian Nica
                Forum 2000 Building
                71-75 Dr. Staicovici
                050557 Bucharest
                Romania
phone:          +40 21 301 0850
phone:          +40 31 400 4243
fax-no:         +40 31 400 4207
admin-c:        CN19-RIPE
mnt-ref:        AS8708-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

person:         Ciprian Nica
remarks:        Senior IP Engineer
remarks:        Romania Data Systems
address:        Bucharest, Romania
phone:          + 40 31 400 42 43
abuse-mailbox:  abuse@rcs-rds.ro
remarks:        ------------------------------------------------
remarks:        | Please don't send me any abuse complaints.   |
remarks:        | Use abuse@rcs-rds.ro for that or contact     |
remarks:        | your service provider or local authorities   |
remarks:        | !! DO NOT CALL ME REGARDING ABUSE ISSUES !!  |
remarks:        ------------------------------------------------
nic-hdl:        CN19-RIPE
mnt-by:         NIMACI-MNT
source:         RIPE # Filtered

At time of writing, neither Italy nor Romania are part of the state of Texas. Although the way things are going, that could change at any time.

This is what PlainsCapital say in their lawsuit submitted on 31 December.

  1. In 2005, PlainsCapital and Defendant entered into a Commercial Account Agreement and a Wire Transfer Authorization Agreement.

  2. In connection with its commercial accounts, Defendant utilized the PlainsCapital internet banking system, including its deposit, wire transfer and bill payment functions.

  3. On November 9 and 10 of 2009, PlainsCapital received certain wire transfer orders in the name of Defendant through the PlainsCapital internet banking system.

  4. Later, Defendant notified PlainsCapital that certain wire transfer orders that had been placed through the PlainsCapital internet banking system and verified pursuant to the security procedure in place were, in fact, not initiated by Defendant.

  5. The total amount of the allegedly unauthorized transfer orders was $801,495.00.

  6. PlainsCapital made every effort to recover monies transferred through the FedWire Funds Transfer System and indeed was successful in recovering almost $600,000 of the allegedly unauthorized transfers.

  7. In a letter dated December 11, 2009, Defendant alleged that PlainsCapital internet banking system failed to employ commercially reasonable security measures and that PlainsCapital was responsible for all unrecoverable monies transferred from Defendant's accounts.

  8. PlainsCapital has declined Defendant's demand for a refund of unrecoverable monies transferred pursuant to the allegedly unauthorized wire transfer orders.

So what do PlainsCapital want? Here's where the things get really tasty!

  • PlainsCapital has at all times maintained commercially reasonable security measures within the meaning of 12 C.F.R. §§ 4A-201 and 4A-202.

  • PlainsCapital accepted the wire transfer orders in good faith.

How do you accept wire transfer requests from Italy and Romania in good faith?

  • On information and belief, the allegedly unauthorized wire transfer orders were caused by a person who obtained access to transmitting facilities of the Defendant or who obtained, from a source controlled by Defendant and without authority of PlainsCapital, information facilitating breach of the security procedure.

Everybody already knows that. Pauletta's Windows PC was toast just like literally hundreds of millions of others.

  • PlainsCapital is entitled to enforce the wire transfer orders to the extent monies transferred are not otherwise recoverable from the beneficiaries of the orders.

Even if you fucked up and didn't check the sending IPs from Italy and Romania?

  • PlainsCapital is entitled to a declaratory judgment that its security procedures are commercially reasonable, that it is entitled to enforce the wire transfer orders and that it has not breached its obligations under the terms of either Commercial Account Agreement or the Wire Transfer Authorization Agreement.

PlainsCapital aren't entitled to shit. Their security procedures are not commercially reasonable, they really screwed up by allowing the wire transfer orders, and they have fully and completely breached their obligations.

PlainsCapital had no IP check procedure in place. They first discovered what was going on four days after it had begun.

Pauletta was and remains an idiot for using Microsoft Windows in the first place. But ask any online merchant about checking sender IPs. Any one. Ask any credit card company about checking points of purchase. Any one. PlainsCapital didn't do anything of the sort.
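As an added illustration (not code from the original article, nor from PlainsCapital or Hillary Machinery), here is the kind of source-address check the article says was missing, run over constructed events that mirror the dates, login and addresses in the quoted memo. The country table is assumed to be built only from the RIPE ranges quoted above; a real system would use a maintained GeoIP database and the customer's actual profile.

```python
import ipaddress
from dataclasses import dataclass

# Toy geolocation table constructed from the RIPE inetnum ranges quoted on this page
# (a real deployment would use a maintained GeoIP database).
GEO_RANGES = [
    (ipaddress.ip_network("93.144.0.0/15"), "IT"),    # 93.144.0.0 - 93.145.255.255 (OPITEL)
    (ipaddress.ip_network("79.116.192.0/18"), "RO"),  # 79.116.192.0 - 79.116.255.255 (RCS & RDS)
    (ipaddress.ip_network("188.24.0.0/14"), "RO"),    # 188.24.0.0 - 188.27.255.255 (RCS & RDS)
]

def country_of(ip: str) -> str:
    """Return the country code for an address, or '??' when it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_RANGES:
        if addr in net:
            return cc
    return "??"

@dataclass
class Event:
    date: str
    kind: str      # "secure_code_request" (device registration) or "wire_transfer"
    login: str
    src_ip: str

# Constructed events mirroring the memo quoted above (hypothetical log, not the bank's).
EVENTS = [
    Event("2009-11-08", "secure_code_request", "PAULETTALAHM", "93.144.115.214"),
    Event("2009-11-08", "secure_code_request", "PAULETTALAHM", "93.144.115.214"),
    Event("2009-11-09", "wire_transfer", "PAULETTALAHM", "79.116.243.245"),
    Event("2009-11-10", "wire_transfer", "PAULETTALAHM", "188.24.220.3"),
]

def check_session(events, home_country="US"):
    """Return (rule, date, src_ip) alerts; any alert should hold the wire for out-of-band confirmation."""
    alerts = []
    registered_from = {}           # login -> set of countries that registered a device
    for e in events:
        cc = country_of(e.src_ip)
        # Rule 1: activity from outside the customer's profile country (unknown counts too).
        if cc != home_country:
            alerts.append(("out_of_profile_country", e.date, e.src_ip))
        if e.kind == "secure_code_request":
            registered_from.setdefault(e.login, set()).add(cc)
        # Rule 2: the wire comes from a different country than the device registration did.
        elif e.kind == "wire_transfer" and cc not in registered_from.get(e.login, {cc}):
            alerts.append(("transfer_country_differs_from_registration", e.date, e.src_ip))
    return alerts
```

Run against the constructed events, every one of the four requests trips rule 1 and both wires additionally trip rule 2, which is exactly the signal the memo shows the bank had in its own logs.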

Of course none of this would have happened without the assistance of Microsoft software. But in the meantime, until all the Windows fanboys and lame corporations wake up, hunting scapegoats for these unnecessary tragedies is going to be the rule of the day.

The question is how many more hundreds of millions will have to be lost before governments start declaring not only Internet Explorer but Windows itself unfit for use.

See Also
Krebs on Security: Texas Bank Sues Customer Hit by $800,000 Cyber Heist

Copyright © Rixstep. All rights reserved.